Trisha Kothari is the co-founder and CEO of Unit21. We talked to Trisha about the infrastructure of risk & compliance in fintech, machine learning and AI as a way to learn about fraud, and the fragmentation of fintech's identity verification layer.
- What led you to found Unit21 to tackle this problem in particular? Why is it especially relevant now?
- How different are the pre- and post-Unit21 worlds?
- Can you talk about the moment of onboarding? How do your customers think about the balance between false positives and false negatives? Are they primarily thinking about Unit21 in terms of managing risk or more about expanding TAM into more customers?
- On your site, you talk about these different customer segments that you have, fintechs, crypto, banks, and consumers, too. Twitter is an interesting one. Can you talk about your product market fit (PMF) across these different categories? Is it essentially evenly distributed? Are there a few where you're really hitting and others which are more where you want to expand into?
- Can you talk about who you think of as the primary customer? And how do you design for being developer-centric as developer middleware, but also have a great workflow tool for the Ops team? How do you think about product complexity and go-to-market complexity?
- An interesting element of Unit21 is it’s like a universal API, like a Plaid, but in that it aggregates a lot of different identity and verification services and provides you one API you can integrate into the workflow. Tell us what's happening at the identity verification layer such that it's so fragmented and there are so many providers?
- When you talk about the sort of rule set that you create, how does the AI machine learning element come into play? Do you help people evolve their workflows automatically? Is there learning that happens based on what occurs later? Do you, after the fact, mark someone as a fraudster or not, etc.?
- In mapping out the market a little, other players included, like Alloy and Sardine, how would you position Unit21? Where is your sweet spot?
- When looking at the comparison materials on Unit21s website, how critical is it that Unit21 has a more flexible data layer, more transaction data, more custom objects, more custom fields type thing? You can integrate with other products, ingest that data, but then there’s a broader data layer that you can do other stuff with as well.
- You said the way that people did this before Unit21 is largely DIY. How do you think about when you suggest, "Hey! Maybe you should do it yourself vs. use Unit21"? What are the pros and cons of that?
- Unit21, from a product standpoint, has onboarding, ongoing transaction monitoring, and case management. Can you talk about the maturity of each of those segments? What are the additional products you can launch on top of your existing platform five years from now?
- If everything goes right for Unit21 in five years, what do you become? How has the world changed as a result?
What led you to found Unit21 to tackle this problem in particular? Why is it especially relevant now?
Starting off, I worked at Affirm for about four years as an engineer and later, as a product manager. Being there fairly early, I got the chance to work on a lot of the fundamental systems, like the ledger and a lot of the risk-related systems.
One thing that I saw was that fraud was constantly evolving. It's not like you write some code and be done with it. All of these companies have an internal fraud operations team in order to combat the new schemes that fraudsters are putting in place. However, the operations team often doesn't have the necessary tooling to be able to really intelligently defend against the fraudsters.
My co-founder, Clarence, has a deep background in machine learning and security—he wrote the O'Reilly book on machine learning and security, and he’s also a lecturer on machine learning and security at Berkeley.
We both had experience in this space, and what we saw was that as fintech was becoming bigger and bigger, and as companies moved to commerce online, there were going to be much more creative schemes and fraud. The core problem we wanted to solve was the lack of useful tooling for fraud operations and compliance operations teams to be able to solve these effectively.
How different are the pre- and post-Unit21 worlds?
The early fraud prevention software was created for traditional brick-and-mortar banks—checking account monitoring software, debit card monitoring software, credit card monitoring software.
At Affirm, we were a payments company, and we would get all of this interesting data about payments: from that data, we learned things like that fraud was very different and much higher than for a hair extension merchant than for a mattress merchant like Casper.
That's really when it clicked for us. We realized that there's something interesting with fintech where the companies are differentiating, not from a geographical perspective like it was with banking 1.0 and with brick-and-mortar banks, but from a product perspective.
So, Affirm was saying that we may not have a location and that you will not know us for there's no relationship with the customer, but we have a different product for you to be able to satisfy whatever needs you may have as an individual. Since companies were differentiating on the product perspective, the old solutions that worked for brick-and-mortar entities would just not work here.
We were a payments company, or a lending company and so, we ended up building a lot of our own infrastructure, which was a cost and a really big time sink and cost sink for the company.
Can you talk about the moment of onboarding? How do your customers think about the balance between false positives and false negatives? Are they primarily thinking about Unit21 in terms of managing risk or more about expanding TAM into more customers?
One of the great things that I learned at Affirm was that we never look at fraud in isolation. We had fraud and false positives—the two metrics that the fraud team was responsible for.
A great way to minimize fraud is to just reject every transaction. You have no business, you have no fraud. It's great, but ultimately that's not really what the company's going for.
So, fraud and growth is really a balance, and that's a big part of what we've been able to help companies reframe. In terms of the analytics capabilities that we provide, we enable them to understand that if they want the growth rate to be the same, then what can they tweak to reduce fraud and vice versa. It helps make the trade-off more explicit.
On your site, you talk about these different customer segments that you have, fintechs, crypto, banks, and consumers, too. Twitter is an interesting one. Can you talk about your product market fit (PMF) across these different categories? Is it essentially evenly distributed? Are there a few where you're really hitting and others which are more where you want to expand into?
It's reasonably well distributed, but I’ll say that we work best with companies that enable the movement of money—whether it’s a bank where you can deposit or withdraw money, or a payment company like Intuit where I can pay you through invoices via QuickBooks, or a crypto exchange where you can buy and sell assets.
That's really where we play and where we have the most product-market fit—where the liability of the risk is on the bank or the financial institution, either because they are responsible for fraud loss, or because they have some regulatory obligation to look at fraud from a compliance perspective.
There are some really awesome companies where maybe, let's say, you get scammed. If there's a romance scam and you meet someone through Tinder for example, and then, it turns out to be a scam, the bank today, is ultimately not responsible for you sending $10K to somebody else. It will turn out be a scam and that's completely on you.
In those cases, there are banks and there are definitely fintech companies, generally financial services companies that are more on the cutting edge and really have consumer protection at the core. They do more, but that's more of a nice-to-have versus a must-have.
Can you talk about who you think of as the primary customer? And how do you design for being developer-centric as developer middleware, but also have a great workflow tool for the Ops team? How do you think about product complexity and go-to-market complexity?
Ultimately, our users are the risk and compliance teams that are responsible for fraud mitigation or preventing money laundering on the platform.
In terms of the platform, to your point, we work with many different types of use cases. Since the very beginning, it has been really important for the platform to be able to work with diverse types of data, across varied companies, and their different types of data schemas. Now, in working with different types of data schemas, we've had to make the platform very customizable.
But again, we are serving a user base that is non-technical. So, to make the platform extremely customizable for a non-technical user base, it really had to be a very no-code centric product philosophy of how can someone who's a strong business user but not necessarily have the engineering know-how be able to get in deep, understand the data, and be able to prevent bad activity proactively.
We primarily sell into folks like departmental VPs of risk or compliance.
An interesting element of Unit21 is it’s like a universal API, like a Plaid, but in that it aggregates a lot of different identity and verification services and provides you one API you can integrate into the workflow. Tell us what's happening at the identity verification layer such that it's so fragmented and there are so many providers?
A big reason the identity verification layer is fragmented is because it just has so many different parts.
One example of a part of identity is the selfie—I'm going to take my passport, take a selfie, and do a document verification.
But there's also another layer of that identity—the SSN verification—that verifies that the SSN belongs to you. There are a lot of different elements of what makes up an identity, and there are a lot of different geographical implications. Whether you are a US individual or a UK individual, the providers are often very different. If you're a company that has users in the US and the UK, you will have to have a set of different providers.
I think we're less like Plaid. We don't connect to them, but companies send us any data that they want, including the identity data, transaction data, and data about—Did the user log in? Did they change their admin on the account? Companies can also use that to build a strong decision engine to prevent fraud and money laundering.
With regard to how a lot of these identity or fraud type providers work, our take is, let's say you're a payments company and you have an ACH fraud problem. You come to me, and I give you an ACH fraud score. I say, "You have a wire fraud problem." You say, "Here's my wire fraud score." If you have a credit card problem, you come to me and I say, "Here's the credit card fraud score." But that's not actually how the fraudster thinks. They don't think, "10:00 AM, I'm going to do wire fraud. 11:00 AM, I'm going to do credit card fraud." They're just trying to manipulate you and look at the weaknesses in your organization.
Our take is to look at the breadcrumbs before the payment actually happens, because the fraud happens well before the payment. Whether that includes whatever identity information, behavioral information, or whatever action the user is taking in the application, and combining that to create a holistic user profile and conduct analytics on that, is really where we sit.
However, the real reason it's fragmented is because there's so many different parts of an identity and the types of data that you can use to identify fraud.
When you talk about the sort of rule set that you create, how does the AI machine learning element come into play? Do you help people evolve their workflows automatically? Is there learning that happens based on what occurs later? Do you, after the fact, mark someone as a fraudster or not, etc.?
In terms of fraud today, a lot of the approach has been very black box. I'll give you a score—eight on 10, nine on 10, 10 on 10—and then, you decide to use that score and then say, "Okay, I'm going to accept the transaction or reject the transaction." But that's not really worked out very well, because an eight on 10 for Robinhood might not be the same as an eight on 10 for Bank of America.
What we do is, we look at how the company dispositions fraud and how they react to previous fraud, in advance, and then create custom scores for them. These are explainable so companies can understand why this particular alert was scored higher than another alert.
That's really our approach to fraud. It’s customized to your business as is our approach to AI as well.
Where Unit21 really is, is the core risk and compliance infrastructure. A lot of people use us with Alloy and Sardine, for example, Sardine has a Device Intelligence SDK. Companies send us signals from the Device Intelligence SDK, combine it with their transaction information, their onboarding information, their action on the application, and then, create a holistic user profile in Unit21 and conduct user analytics on Unit21 thereby, proactively responding to fraud.
How we really work with a lot of these players, like Sardine, in the ecosystem is that they become our partners rather than just stay purely competitors. A ton of their customers use us as the core decisioning layer. The same thing happens with Alloy.
Alloy has an identity engine, which works well for many companies. But ultimately, the fraud does not happen on the identity layer. The fraud happens after you've passed the KYC checks, and you're actually initiating the transaction. So what can we look at after the identity? We must include that identity data, but before the transaction happens to prevent a fraud event from occurring.
When looking at the comparison materials on Unit21s website, how critical is it that Unit21 has a more flexible data layer, more transaction data, more custom objects, more custom fields type thing? You can integrate with other products, ingest that data, but then there’s a broader data layer that you can do other stuff with as well.
That's a really good description. I would say we have a Looker-type product for fraud where you can take in any data, analyze the data however you want, and proactively generate reports for loads or whatever you want out of it in all transactions.
The goal we started Unit21 with is that doing it yourself takes so much time and resources, even with something like Retool, which is awesome. Retool isn't great for proactive blocking or if you want to prevent transactions from taking place. It's not great for real investigative work. It's okay if you just want to see all of the information concerning the user on a page and have an admin dashboard. For purely that purpose, a tool like Retool is fine.
Ultimately, the goal and the way we serve our teams are measured by “How much money did you lose in fraud with what growth rate?” and “What is the cost of compliance? How efficiently are you able to handle your alerts?”
Really, a system that enables you to encapsulate your data model is what we found to be really effective, but that is focused in this world of fraud and AI/ML just because the delta between something like Retool and Unit21, even though I think philosophically, might seem more aligned.
In reality, when you actually use the tools in practice or to build something like Unit21 within Retool, it would really require a lot of custom engineering within Retool to have something like that. The delta almost makes it where if the company has to do a deep investigative work, has to block transactions, or has to do something custom for compliance, then, it doesn't make sense. But if all the company wants is like a dashboard where they can see all the user details, then, something like Retool is totally fine.
Unit21, from a product standpoint, has onboarding, ongoing transaction monitoring, and case management. Can you talk about the maturity of each of those segments? What are the additional products you can launch on top of your existing platform five years from now?
When we started the company, we began with transaction monitoring and then slowly started building out the case management functionalities. The transaction monitoring was really this super customizable decision layer, and we began re-purposing that for onboarding decisions.
Today, from where we are at, we see the same fraud. Fraudsters are the least discriminatory people in the world. They target all of our customers and take money from whoever they can.
What we did late last year—and launched in February this year—was a consortium effort, so we could share all of the data between these different companies and create essentially a shared blacklist kind of system so that companies could proactively know that, "Okay, this user is marked as fraud or potentially could be a bad actor, and I might want to take a similar action to them." We went live with this on February 1 and in the last four and a half months or so, we have hit over 10% of the adult U.S. population's data. This is on the platform already and we expect to end the year with about 25%.
We're really excited about this, because fraudsters are very well coordinated. They don't work as just individuals behind the scenes. They have WhatsApp groups where they're exchanging information and running it like mini businesses. The industry does not have that, and the industry people are so scared of competition that they don't want to collaborate on fraud. But ultimately, the only people who are winning are the fraudsters. So, we're really excited about this initiative.
If everything goes right for Unit21 in five years, what do you become? How has the world changed as a result?
Our goal as a company is to stop bad actors and make the world a safer place and a more just place. What we want to do is really provide the people who are on the front lines of fraud fighting with as much of the data and tooling they need to be able to hit this goal.
Ultimately, if we are successful, that means that there is more financial invention and financial innovation. People are not scared of using the financial ecosystem. People feel safe and secure in transacting online, and the barrier to entry in the whole financial services world decreases.
I'm really excited about what companies that Unit21 enables so that you and I don't have to put money under our beds because we're so scared that it could be stolen from a bank.
This transcript is for information purposes only and does not constitute advice of any type or trade recommendation and should not form the basis of any investment decision. Sacra accepts no liability for the transcript or for any errors, omissions or inaccuracies in respect of it. The views of the experts expressed in the transcript are those of the experts and they are not endorsed by, nor do they represent the opinion of Sacra. Sacra reserves all copyright, intellectual property rights in the transcript. Any modification, copying, displaying, distributing, transmitting, publishing, licensing, creating derivative works from, or selling any transcript is strictly prohibited.